We have enforced strong passwords, but it seems some account profiles still got hacked. I don't know where the spammers came from. Is it possible they are spoofing Zimbra Admin (which can be opened from outside), or does this mean they came from webmail (which uses https by default)?

Also, is it possible to prevent spammers from changing the reply-to address and signature by disallowing user preferences in the Class of Service, or are there any tips to prevent user preference modification?

Most likely you have users falling for phishing scams, or users with keylogger viruses on their computers. If they are changing the reply-to settings they are almost surely logging in via the webmail, but you can verify logins (and their source IP/method/etc.) in /opt/zimbra/log/audit.log.

I'm not aware of a way to change permissions to block the reply-to/signature issue. Doing so won't stop them from sending spam from a compromised account though and would be overlooking the real issue (how the accounts are getting compromised).

P.S. Your admin port (7071) should be blocked to the general internet and only allowed through specific IPs (for outside use, a VPN is recommended). Even if you don't find that admin access is how spammers are getting to accounts, I would still strongly recommend blocking outside admin port access.
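The audit.log check suggested in the answer above, as an added example that is not part of the original thread: a small Python parser over constructed audit.log-style lines that groups authentications by account, flags accounts logging in from many distinct source IPs, and lists admin-console logins from IPs outside an assumed allowlist. The `oip=` field and `cmd=Auth`/`cmd=AdminAuth` markers follow the layout of Zimbra's audit.log; the sample lines, thresholds and allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of /opt/zimbra/log/audit.log entries (not a real capture).
SAMPLE_AUDIT_LOG = """\
2013-05-02 08:01:13,402 INFO  [qtp-21] [name=alice@example.com;oip=203.0.113.10;ua=zclient/8.0.2;] security - cmd=Auth; account=alice@example.com; protocol=soap;
2013-05-02 08:02:45,110 INFO  [qtp-22] [name=bob@example.com;oip=198.51.100.7;ua=zclient/8.0.2;] security - cmd=Auth; account=bob@example.com; protocol=soap;
2013-05-02 08:03:02,977 WARN  [qtp-23] [ip=127.0.0.1;oip=192.0.2.55;ua=zclient/8.0.2;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for [bob@example.com], invalid password;
2013-05-02 08:03:09,301 INFO  [qtp-24] [name=bob@example.com;oip=192.0.2.55;ua=zclient/8.0.2;] security - cmd=Auth; account=bob@example.com; protocol=soap;
2013-05-02 08:04:30,008 INFO  [qtp-25] [name=bob@example.com;oip=192.0.2.88;ua=zclient/8.0.2;] security - cmd=Auth; account=bob@example.com; protocol=soap;
2013-05-02 08:05:00,500 INFO  [qtp-26] [name=admin@example.com;oip=203.0.113.99;ua=zclient/8.0.2;] security - cmd=AdminAuth; account=admin@example.com; protocol=soap;
"""

# oip= is the originating client IP (ip= is the proxy or loopback address when the web tier is proxied).
AUTH_RE = re.compile(
    r"oip=(?P<oip>[\d.]+);.*?cmd=(?P<cmd>Auth|AdminAuth); account=(?P<account>[^;]+);"
    r"(?P<rest>.*)$"
)


def summarize_auth(log_text):
    """Per account: source IPs of successful webmail logins, admin-console logins, and failed attempts."""
    summary = defaultdict(lambda: {"ok_ips": set(), "admin_ips": set(), "failed": 0})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an authentication event
        entry = summary[m["account"]]
        if "error=" in m["rest"]:
            entry["failed"] += 1
        elif m["cmd"] == "AdminAuth":
            entry["admin_ips"].add(m["oip"])
        else:
            entry["ok_ips"].add(m["oip"])
    return summary


def suspicious_accounts(summary, max_ips=2):
    """Accounts that logged in successfully from more distinct IPs than one user plausibly would."""
    return sorted(a for a, e in summary.items() if len(e["ok_ips"]) > max_ips)


def admin_logins_outside(summary, allowed_ips):
    """Admin-console logins from IPs not on the allowlist that should guard port 7071."""
    return sorted((a, ip) for a, e in summary.items()
                  for ip in e["admin_ips"] if ip not in allowed_ips)
```

Point `summarize_auth` at the real file contents and tune `max_ips` to your user base; a compromised account typically shows up as many source IPs in a short window, often right after a burst of failures.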